Not All Context in Threat Intelligence is Created Equal

Context has always been a critical delineator in threat intelligence. It’s what distinguishes data from information, information from intelligence, and the meaningless from the meaningful. But while the importance of context is irrefutable, there seems to be less of a consensus on what specific types of context intelligence should include in order to be relevant and actionable for decision makers.

Here are some guiding questions to help practitioners identify the optimal context to include in the intelligence they produce:

Does the intelligence reflect the confidence of its assessments?

The confidence of assessments and credibility of observations can be easily overlooked in threat intelligence—and this tends to be especially true when external data sources are involved. Remnants from past breaches have been known to resurface on paste sites, for example, often making it appear as if a new breach has occurred when it hasn’t. It’s also relatively common for inexperienced and/or attention-seeking threat actors who operate in certain illicit online communities to make false claims about their capabilities or accesses in an attempt to impress more sophisticated threat actors or gain access to more exclusive communities.

In other words, just because an actor on a cybercrime forum claims to have access to a corporate database, for example, doesn’t mean they necessarily do. As such, it’s imperative that intelligence analysts have the expertise necessary to assess and convey the relative credibility of observations like these, as well as the confidence of any related assessments, in their intelligence reporting. Such context can make all the difference in how intelligence consumers perceive and address these types of findings.

Who will consume the intelligence?

Intelligence on even the most groundbreaking, incisive findings is essentially pointless unless its intended consumers can truly understand it and know how to act on it. If those consumers are the C-suite, for instance, a report on the brand reputation implications of a recent data breach shouldn’t include an in-depth analysis of the malware involved in the breach. Such context, though likely very valuable for the network security, cyber threat intelligence (CTI), and incident response teams, would be neither relevant to the brand’s reputation nor actionable for the C-suite.

Instead, an overview of how the business’s customers are responding to the breach on social media, as well as how previous breaches have affected similar brands’ reputations in the long term, would be far more suitable. This type of context could help the C-suite inform its external communications strategy and devise a plan to recoup any consequential revenue losses, for example.

How does the intelligence relate to its consumer’s environment?

Keep in mind that context is what bridges the gap between an observation, such as a new strain of malware, and an environment, such as an enterprise network. Intelligence on a new strain of malware is only relevant and actionable for a CTI team, for example, if it includes details such as how threat actors are using the malware, how it operates, any vulnerabilities it exploits, and any associated indicators of compromise (IoCs).

Furthermore, it’s important to recognize that an intelligence consumer’s environment is rarely limited to the confines of their organization’s network or infrastructure. Many businesses have vast global footprints, extensive supply chains, and can be impacted by a number of social, economic, and geopolitical externalities. All of these factors should be key considerations when evaluating what context an intelligence report needs to include in order to be relevant and actionable for its intended consumer and their environment.

Lastly, aside from reinforcing the crucial role of context, the questions outlined above also highlight another core component of threat intelligence, as well as of security in general: communication. Indeed, in most cases, the best way for intelligence practitioners to identify what types of context their intelligence consumers truly need is simply to ask them.

Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.